Curt <cu...@free.fr> writes:

> On 2013-11-02, Joe Pfeiffer <pfeif...@cs.nmsu.edu> wrote:
>>>>
>>>> Again -- isn't "basically equivalent to giving everyone uid=0." Permits
>>>> someone who *has* sudo access to avoid retyping a password.
>>>
>>> Not only that. Permits someone who already has sudo access to continue
>>> having such access indefinitely, ignoring being excluded from sudoers
>>> altogether.
>>
>> You made a specific claim, that sudo without patches is "basically
>> equivalent to giving everyone uid=0". You have yet to say anything that
>> even begins to substantiate that claim.
>>
>
> How about this bug:
>
> http://www.sudo.ws/sudo/alerts/sudo_debug.html
>
> Impact: Successful exploitation of the bug will allow a user to run arbitrary
> commands as root.
>
> Exploitation of the bug does not require that the attacker be listed in the
> sudoers file. As such, we strongly suggest that affected sites upgrade from
> affected sudo versions as soon as possible.
OK, there has been a bug that will cause the claimed behavior if the sysadmin updated his system between February and November 2011 but not since, and you've got a seriously malicious user.

Archive: http://lists.debian.org/1bvc09paki....@snowball.wb.pfeifferfamily.net